I know that sponge functions are different in many ways. Yet I'd like to know if SHA-3 can nonetheless be said to be "based", if not simply "inspired", by the Merkle-Damgård construction. To be more precise it seems to be a wide-pipe construction followed by an entropy collection procedure.

2 Answers

I have to agree that they are similar, aren't they? Block after block with a chain value/state passed along. The two constructions are shown below...

If they were substantially different, one would look like

Or a crocodile. At a certain (reasonable) level of abstraction, they both produce a hash value by successively updating a state passed from message block to message block. A permutation isn't semantically a million miles away from a compression function, especially if you wiggle about the location of the XOR operator. With the XOR, they both feature a compression function. It's not like saying a plane is a motorbike, but rather a jet is derived from a propeller plane. Sure there are unique minor implementation issues, but the substantive architecture remains constant. It's probably true to say that Keccak was more than "inspired" by Merkle-Damgård. And in the hash mode, Keccak outputs a hash.

Where it gets more difficult to equate the two is the alternate mode of random number generator. After the MD calculates the final hash, it stops. On the other hand, the sponge can infinitely iterate itself producing pseudo random output. The only way I can get MD to do this is to add a counter as additional message blocks and repeatedly output the updated state. So still doable.

I think that if they both look similar architecturally, and both produce similar outputs hash wise and PRNG wise, one has to conclude that they're properly similar. It's called the Duck Test.

Your PRNG construction seems broken (at least, if you use for later steps the results which were already output – then an adversary can repeat it). You need to hide the intermediary input.
– Paŭlo Ebermann, Jan 13 '18 at 16:22
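
The point raised in the comment above, as an added example (not code from the answer or the commenter): a Merkle-Damgård style generator that outputs its updated chaining value lets any observer recompute the next output, while a variant that keeps the chaining value internal, or a sponge squeeze (SHAKE256), does not. The `compress` stand-in built from SHA-256, the function names and the seed are assumptions made for this sketch.

```python
import hashlib

def compress(cv: bytes, block: bytes) -> bytes:
    # Stand-in for a compression function f(cv, block); an assumption of this sketch.
    return hashlib.sha256(cv + block).digest()

def md_counter_prng(seed: bytes, n: int) -> list[bytes]:
    """The answer's idea: absorb counter blocks and output each updated state."""
    cv = compress(b"\x00" * 32, seed)
    out = []
    for ctr in range(n):
        cv = compress(cv, ctr.to_bytes(8, "big"))
        out.append(cv)  # the full chaining value leaves the generator
    return out

def predict_next(observed: bytes, next_ctr: int) -> bytes:
    """What an observer of one output can compute without knowing the seed."""
    return compress(observed, next_ctr.to_bytes(8, "big"))

def md_hidden_state_prng(seed: bytes, n: int) -> list[bytes]:
    """Variant that hides the intermediate state: the output is a separate,
    domain-separated derivation, and the chaining value never leaves."""
    cv = compress(b"\x00" * 32, seed)
    out = []
    for ctr in range(n):
        cv = compress(cv, b"next" + ctr.to_bytes(8, "big"))
        out.append(compress(cv, b"out"))
    return out

def sponge_prng(seed: bytes, n: int) -> list[bytes]:
    """SHAKE256 squeeze: only rate bytes are emitted, the capacity stays internal."""
    stream = hashlib.shake_256(seed).digest(32 * n)
    return [stream[i * 32:(i + 1) * 32] for i in range(n)]

if __name__ == "__main__":
    seed = b"constructed example seed"
    for name, gen in [("MD, state output", md_counter_prng),
                      ("MD, state hidden", md_hidden_state_prng),
                      ("sponge (SHAKE256)", sponge_prng)]:
        blocks = gen(seed, 3)
        hit = predict_next(blocks[0], 1) == blocks[1]
        print(f"{name:18} next output recomputable from previous: {hit}")
```
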